Resolving Vulnerability

hellosoft asked:

Hi,

I am running vulnerability scanning against my Exchange OWA, which is installed on Windows Server 2008 R2 SP1 x64 and hosted via TMG.

I am getting the following vulnerability. I tried several ways to resolve it, but none of them worked.

33929 - PCI DSS compliance
Synopsis
Nessus has determined that this host is NOT COMPLIANT with the PCI DSS requirements.
Description
The remote web server is vulnerable to cross-site scripting (XSS) attacks, implements old SSL2.0 cryptography, runs obsolete software, or is affected by dangerous vulnerabilities (CVSS base score >= 4). If you are conducting this scan through the Nessus Perimeter Service Plugin, and if you disagree with the results, you may submit this report by clicking on 'Submit for PCI Validation' and dispute the findings through our web interface.
See Also
http://www.pcisecuritystandards.org/
http://en.wikipedia.org/wiki/PCI_DSS
Risk Factor
High
Plugin Information:
Publication date: 2008/08/07, Modification date: 2012/04/27
Ports
tcp/0
+ Some services implement SSL 2.0.
+ A medium risk flaw was found. See : http://www.nessus.org/plugins/index.php?view=single&id=20007


Please help me out.

Thanks,
Rafi
skullnobrains:

You probably should not care at all, but Nessus would definitely be happier if you updated IIS, and possibly the OS as well.
hellosoft (asker):
Our organization's policy is to clear all such vulnerabilities.

If I update IIS on the machine hosting the Exchange server, will it affect anything?

Thanks,
Rafi
Automated tools... close to useless in identifying real problems.
Sigh....

If you want to pass this test that proves nothing, then disable the protocol in the registry.
http://support.microsoft.com/kb/187498

Simon.
Thanks Simon,

but it is also not working here.

R
Stick a reverse proxy in front of your Exchange server. If you need to do an update every time a vulnerability is discovered in Exchange, you can book the next few years of your time.
You are right!
But right now I am stuck with that job.

Any solution please.........
Don't you have a detailed report that will actually tell what Nessus does not like?

You have an available patch for XSS issues here:
http://technet.microsoft.com/en-us/security/bulletin/ms08-039

You may also want to read this:
http://xforce.iss.net/xforce/xfdb/43329

Anyway, the first step would be to apply updates (IIS, Exchange and Windows).
You can see the detailed output given by Nessus in my post.

Thanks for the links. I will let you know once I check those.


Thanks
I think you really need to change a few things in your company.

1) Make them understand that vulnerability scanners need to be run and interpreted by professionals. The PCI DSS standards are mostly a foolish set of dumb pseudo-security rules that do not even actually cover the basics. There is no reason why they would apply to OWA in any way, unless you store credit card information in your email, meaning you really have other problems to solve.

2) Make them understand that tools that tell you there is a vulnerability without saying precisely which one are useless at best, and lie most of the time. In your case, XSS is known to apply to Exchange, SSLv2 applies to nothing because any browser that supports SSLv3 (i.e. any browser that supports SSL) will negotiate SSLv3 anyway, CVSS scoring is useless when you do not know what it applies to, and older software does not mean less secure software.

3) Most likely, your Exchange server is open to the internet and running under an administrator account. If such crazily insecure practices exist in your company, they need to listen to professionals (I guess you can be the one) instead of relying on automated software.

I'd be glad to help you with your problem directly, but basically, either an update will solve it and you probably already tried, or removing SSLv2 support will, and I know you already tried, or you will just have to wait for a possible patch. But to make things clear, any webmail has to do a little XSS in order to work properly.

I do not know what is detected by Nessus, but it may well be impossible to correct if you need to maintain the level of functionality of Exchange, the way OWA is architected.

I'm also 100% sure that running an Exchange box facing the WAN is insecure by itself, whatever patches you may apply.

Good luck anyway.
Wow,

you have given very good information; I will keep these points in mind.

Whatever you said about PCI DSS is right and I agree with that. But the perimeter scanners are also showing the same thing, and we need to satisfy our clients as well.

I am able to enable SSLv3, but it's not disabling SSLv2. I tried all possible solutions available on the internet and in Microsoft postings, such as

http://support.microsoft.com/kb/187498
http://support.microsoft.com/kb/977377

Thanks
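The registry change that KB187498 describes, written out as a PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on Windows Server 2008 R2 and uses the standard SCHANNEL key layout (`Enabled` = 0, `DisabledByDefault` = 1 under `Protocols\SSL 2.0\Server`). Two caveats a practitioner checks when the change "does not work": SCHANNEL only reads these keys at boot, so the host must be rebooted before a rescan, and because OWA is published through TMG, the HTTPS endpoint the scanner talks to is the TMG web listener, so the change has to be made on the machine that actually terminates TLS, not only on the Exchange box.

```powershell
# Added example (not from the thread): disable SSL 2.0 in SCHANNEL following the
# registry layout from KB187498. Assumption: run elevated on the host that terminates
# HTTPS for OWA (with TMG in front, that is the TMG listener, not the Exchange server).

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Each protocol has a Server and a Client subkey. The scanner tests the Server side;
# disabling Client as well stops this host from negotiating SSLv2 outbound.
foreach ($side in 'Server', 'Client') {
    $key = Join-Path $base "SSL 2.0\$side"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Enabled = 0 turns the protocol off; DisabledByDefault = 1 keeps SCHANNEL from
    # offering it even when an application asks for the "default" protocol set.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Read the values back so the change can be confirmed before rebooting.
foreach ($side in 'Server', 'Client') {
    Get-ItemProperty -Path (Join-Path $base "SSL 2.0\$side") |
        Select-Object @{n = 'Key'; e = { "SSL 2.0\$side" }}, Enabled, DisabledByDefault
}

Write-Host 'SCHANNEL reads these keys at boot: reboot this host, then rescan.'
Write-Host 'Independent check from another machine (placeholder hostname):'
Write-Host '  nmap --script ssl-enum-ciphers -p 443 owa.example.com   # SSLv2 should no longer be listed'
```

If the rebooted host still offers SSLv2 to the scanner, the endpoint being scanned is almost certainly a different machine (the TMG listener or another proxy in the path), and the same keys need to be set there.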
ASKER CERTIFIED SOLUTION by skullnobrains